Send collectd data to a local universal forwarder in ITSI
If you already have firewall rules and ports set up for a local universal forwarder, you can use those same settings to send metrics data from collectd through the local universal forwarder to Splunk IT Service Intelligence (ITSI). This makes it easier to monitor an entity in a closed network or large environment without creating new rules and ports. Configure collectd to send metrics data to a universal forwarder on a *nix host. You need to have already deployed collectd and a universal forwarder on a *nix host to follow these steps.
To send metrics data from collectd to the universal forwarder, configure a UDP port for the local universal forwarder and modify the collectd
write_splunk plug-in in
You set up collectd on the host. For more information, see one of these topics:
You set up a universal forwarder on the host to send data to ITSI. For more information, see one of these topics:
Follow these steps to start sending collectd data to a local universal forwarder.
1. Add a UDP network input
Configure a UDP input in $SPLUNKFORWARDERHOME/etc/system/local/inputs.conf so the universal forwarder can receive data from collectd. Add this stanza with the following attributes:

[udp://<UDP_PORT>]
index = em_metrics
sourcetype = em_metrics_udp
no_appending_timestamp = true

If you're using a different index for metrics, replace em_metrics with the custom index.
For more information about configuring a UDP input, see Add a network input using inputs.conf in the Splunk Enterprise Getting Data In manual.
2. Modify the write_splunk plug-in
In collectd.conf on the Linux or Unix host, modify the write_splunk plug-in according to the following example. To find your collectd.conf file, see collectd package sources, install commands, and locations.

<Plugin write_splunk>
    server "<UF hostname, IP, or localhost>"
    buffersize 9000
    useudp true
    udpport <UDP_PORT>
</Plugin>

buffersize is the size (in bytes) of the Send Buffer that the write_splunk plug-in uses. You can increase the buffersize if your operating system supports it.
3. Restart the universal forwarder and collectd
Restart the universal forwarder:
Restart collectd:
sudo service collectd restart
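
A consistency check for the two files edited in steps 1 and 2, as an added example that is not part of the Splunk documentation: it confirms that collectd's udpport has a matching [udp://...] stanza carrying the sourcetype and no_appending_timestamp values shown above. The port 8125 and the sample file contents are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample files: the page's settings with 8125 as a placeholder port.
SAMPLE_INPUTS = "[udp://8125]\nindex = em_metrics\nsourcetype = em_metrics_udp\nno_appending_timestamp = true\n"
SAMPLE_COLLECTD = ('<Plugin write_splunk>\n  server "localhost"\n  buffersize 9000\n'
                   "  useudp true\n  udpport 8125\n</Plugin>\n")

def parse_udp_inputs(text):
    """Return {port: {attribute: value}} for every [udp://...] stanza."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            m = re.fullmatch(r"\[udp://(?:[^:\]]*:)?(\d+)\]", line)
            current = stanzas.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def parse_write_splunk(text):
    """Return the options inside <Plugin write_splunk> as a lower-cased dict."""
    block = re.search(r'<Plugin\s+"?write_splunk"?\s*>(.*?)</Plugin>', text, re.S | re.I)
    opts = {}
    for line in (block.group(1) if block else "").splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip().strip('"').lower()
    return opts

def check(inputs_text, collectd_text):
    """Return a list of mismatches between the two files; empty means consistent."""
    plug = parse_write_splunk(collectd_text)
    port = plug.get("udpport", "<missing>")
    stanza = parse_udp_inputs(inputs_text).get(port)
    problems = [] if plug.get("useudp") == "true" else ["write_splunk: useudp is not true"]
    if stanza is None:
        return problems + [f"inputs.conf: no [udp://{port}] stanza for collectd's udpport"]
    for key, want in (("sourcetype", "em_metrics_udp"), ("no_appending_timestamp", "true")):
        if stanza.get(key, "").lower() != want:
            problems.append(f"[udp://{port}]: {key} is not {want}")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_INPUTS, SAMPLE_COLLECTD) or "consistent")
```

To check a real host, pass the contents of the forwarder's inputs.conf and the host's collectd.conf to check() in place of the samples.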
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only